Windows security center

Solved/Closed
Flopi - 27 Oct 2007 at 20:32
philae83 Posts: 12837 Registered: Wednesday 3 January 2007 Status: Security contributor Last active: 8 December 2009 - 28 Oct 2007 at 14:20
Hello, (I like this intro) well, like many people here, I have a problem with this virus, which from what I've read is a fake anti-spyware, so I've already run HijackThis to save a bit of time.

Thanks for your help

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:30:46, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot\SpybotSD.exe
C:\Program Files\Pinnacle\MediaCenter\PMC.exe
C:\Program Files\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
F:\Mes documents\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21a6581f-837b-4dbb-b8cd-79783b0e840d} - C:\WINDOWS\system32\avicper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {638F1A7A-8780-44E9-BF4D-AC1B4F8F1A4E} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: (no name) - {831B22D5-9642-4F5D-9A49-8D2C256F1FBC} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\wiehmytw.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxyvwtr.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\enzkwiyx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\enzkwiyx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://onedrive.live.com/
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avicper - avicper.dll (file missing)
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: enzkwiyx - C:\WINDOWS\SYSTEM32\enzkwiyx.dll
O20 - Winlogon Notify: fccbxvs - C:\WINDOWS\SYSTEM32\fccbxvs.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: xxyvwtr - xxyvwtr.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
21 replies

philae83 Posts: 12837 Registered: Wednesday 3 January 2007 Status: Security contributor Last active: 8 December 2009
27 Oct 2007 at 20:34
Good evening,

I think there are several infections.

* Download SmitfraudFix by S!Ri, balltrap34 and moe31

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Install it at the root of C:

* Double-click the exe to unpack it and launch the fix.
Usage ----- option 1 - Search:
* Double-click smitfraudfix.cmd
* Select 1 to create a report of the files responsible for the infection.
* Post the report here
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a virus but a utility designed to terminate processes. In the wrong hands, this utility could shut down security software (antivirus, firewall...), hence the alert raised by these antivirus programs.



and


Download navilog1 (Thanks il.mafioso!)

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

* Then double-click navilog1.exe to start the installation.

* Once the installation is complete, the fix will run automatically.

* (If it does not, double-click the Navilog1 shortcut on the desktop.)

* Follow the prompts. At the main menu, choose 1 and confirm.

/*\ Do not choose 2, 3 or 4 without our advice/agreement /*\

* Wait for the message: *** Analyse terminée le ..... ***

* Press a key as requested; Notepad will open.

* Copy and paste the whole report into your next reply. Close Notepad.

* The report is also saved at the root of the drive (fixnavi.txt)
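The first-pass reading of the HijackThis log that leads to the "several infections" call above, written out as an added example (not code from the thread or from HijackThis, SmitfraudFix, Navilog1 or VundoFix): it parses a handful of lines copied from the two logs posted in this thread, flags the patterns a helper looks for (unnamed BHOs and toolbars loaded from system32, rundll32 autoruns of random-named DLLs, autoruns from a Temp folder, Winlogon Notify packages), and then compares the first log with the post-cleanup one to show which loaders survived. The severity labels, the 7-to-8-lowercase-letter name heuristic and the sample subsets are this example's own assumptions.

```python
"""Triage of HijackThis log lines for Vundo / fake-antispyware patterns, plus a
before/after comparison of two logs. Added example: the heuristics and severity
labels are assumptions of this example, not rules from any of the tools named."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log posted in the thread.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxyvwtr.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\enzkwiyx.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
O20 - Winlogon Notify: enzkwiyx - C:\WINDOWS\SYSTEM32\enzkwiyx.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
"""

# Constructed sample: the matching lines from the log posted after Navilog1 and VundoFix ran.
AFTER_LOG = r"""
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Windows path ending in a loadable module; non-greedy so "Acrobat 7.0" does not end the match early.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|cpl)\b", re.IGNORECASE)
# Assumed heuristic: the names in this thread (fccbxvs, enzkwiyx, knjdrbst, zclofmrs) are 7-8 lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{7,8}$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "active": module still on disk; "orphan": registry entry left behind, file gone
    reason: str
    target: str


def _target(body: str) -> str:
    """Module an entry refers to: the full path when present, otherwise the bare file name."""
    m = PATH_RE.search(body)
    if m:
        return m.group(0)
    return body.split(" - ")[-1].replace("(file missing)", "").strip()


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].partition(".")[0]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HijackThis O-line that matches a suspicious pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        target = _target(body)
        in_sys32 = "\\system32\\" in target.lower()
        severity = "orphan" if ("(file missing)" in body or "(no file)" in body) else "active"
        reason = None
        if section == "O2" and "(no name)" in body and in_sys32:
            reason = "unnamed BHO loaded from system32"
        elif section == "O3" and in_sys32:
            reason = "toolbar DLL in system32 (real toolbars live under Program Files)"
        elif section == "O4" and "rundll32" in low and RANDOM_STEM_RE.match(_stem(target)):
            reason = "rundll32 autorun of a random-named DLL"
        elif section == "O4" and "\\temp\\" in low:
            reason = "autorun from a Temp folder"
        elif section == "O20" and "winlogon notify" in low:
            # HijackThis omits the default Microsoft notify packages, so any listed one deserves a look.
            reason = "non-stock Winlogon Notify package"
        if reason:
            findings.append(Finding(section, severity, reason, target))
    return findings


def surviving(before_log: str, after_log: str) -> list[str]:
    """Active loaders flagged in both logs: what the cleanup pass did not remove."""
    before = {f.target.lower() for f in triage(before_log) if f.severity == "active"}
    after = {f.target.lower() for f in triage(after_log) if f.severity == "active"}
    return sorted(before & after)


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.section:<4}{f.severity:<7} {f.reason}: {f.target}")
    print("\nStill present after cleanup:")
    for t in surviving(BEFORE_LOG, AFTER_LOG):
        print("  " + t)
```

Run against the full logs in the thread, the same comparison shows fccbxvs.dll (the file VundoFix reported it could not delete) still registered as a BHO in the second HijackThis log.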
And here is number 1,

SmitFraudFix v2.242

Rapport fait à 20:39:34,87, sam. 27/10/2007
Executé à partir de C:\Documents and Settings\Admin\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot\SpybotSD.exe
C:\Program Files\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\Favoris


»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Miniport d'ordonnancement de paquets
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FC41AF2E-47C8-43CE-B22B-C38835E31EFB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FC41AF2E-47C8-43CE-B22B-C38835E31EFB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FC41AF2E-47C8-43CE-B22B-C38835E31EFB}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin


And number 2,

Search Navipromo version 3.3.2 commencé le sam. 27/10/2007 à 20:45:06,42

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1
Mise à jour le 22.10.2007 à 19h00 par IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180


*** Recherche Programmes installés ***




*** Recherche dossiers dans C:\WINDOWS ***



*** Recherche dossiers dans C:\Program Files ***



*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\Admin\Application Data ***


*** Recherche dossiers dans C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***


*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net

Aucun fichier trouvé dans :

- C:\WINDOWS\system32
- C:\DOCUME~1\ADMIN\LOCALS~1\APPLIC~1



*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans C:\WINDOWS\system32 *

* Recherche dans C:\DOCUME~1\ADMIN\LOCALS~1\APPLIC~1 *



*** Recherche fichiers ***




*** Recherche clés spécifiques dans le Registre ***


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:
C:\WINDOWS\system32\abadd.bak1 trouvé ! infection Vundo possible non traitée par cet outil !
C:\WINDOWS\system32\abadd.bak2 trouvé ! infection Vundo possible non traitée par cet outil !
C:\WINDOWS\system32\yyadd.bak2 trouvé ! infection Vundo possible non traitée par cet outil !

2)Recherche Heuristique :

C:\WINDOWS\system32\kpwtkylc.exe trouvé !


3)Recherche Certificats :

Certificat Egroup absent !


*** Analyse terminée le sam. 27/10/2007 à 20:48:45,54 ***
philae83 Posts: 12837 Registered: Wednesday 3 January 2007 Status: Security contributor Last active: 8 December 2009
27 Oct 2007 at 20:56
OK

* Double-click the Navilog1 shortcut on the desktop and follow the prompts.

* At the main menu, choose 2 and confirm.

* The fix will tell you that it is going to restart your PC

* Close all open windows and save any open personal documents

* Press a key as requested. (If your PC does not restart automatically, restart it yourself.)

* When your PC restarts, choose your usual session.

* Wait for the message: *** Nettoyage Termine le ..... ***

* Notepad will open.

* Save the report somewhere you can find it again.

* Close Notepad. Your desktop will reappear.

* Note: If your desktop does not reappear, press CTRL+ALT+DEL to open Task Manager.

* Go to the "Processes" tab, click > File at the top left and choose > Run

* Type explorer and confirm. That will bring your desktop back.

* Post the Navilog1 report

AND

* Download VundoFix.exe (by Atribune) to your desktop

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to launch it

* Click the Scan for Vundo button

* When the scan is complete, click the Remove Vundo button

* A prompt will ask whether you want to delete the files; click YES

* After clicking "Yes", the desktop will disappear for a moment while the files are deleted

* You will see a prompt telling you that your PC is going to restart; click OK

* Copy/paste the contents of the report located at C:\vundofix.txt, together with a new HijackThis report, into your next reply


Note: VundoFix may come across a file it cannot delete. If so, the tool will run again at the next restart; simply follow the instructions above, starting from "click the Scan for Vundo button".


plus a new HijackThis report, please
Navilog

Clean Navipromo version 3.3.2 commencé le sam. 27/10/2007 à 21:00:44,60

Outil exécuté depuis C:\Program Files\navilog1
Mise à jour le 22.10.2007 à 19h00 par IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180

Mode suppression automatique



*** fsbl1.txt non trouvé ***
(Assurez-vous que Catchme n'avait rien trouvé lors de la recherche)


*** Suppression avec sauvegardes résultats GenericNaviSearch ***

* Suppression dans C:\WINDOWS\System32 *


* Suppression dans C:\DOCUME~1\ADMIN\LOCALS~1\APPLIC~1 *



*** Suppression dossiers dans C:\WINDOWS ***


*** Suppression dossiers dans C:\Program Files ***


*** Suppression dossiers dans C:\Documents and Settings\All Users\Application Data ***


*** Suppression dossiers dans C:\Documents and Settings\Admin\Application Data ***


*** Suppression dossiers dans C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***



*** Suppression fichiers ***


*** Suppression fichiers temporaires ***

Nettoyage contenu C:\WINDOWS\Temp effectué !
Nettoyage contenu C:\Documents and Settings\Admin\Local Settings\Temp effectué !

*** Traitement Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:

C:\WINDOWS\system32\abadd.bak1 trouvé ! infection Vundo possible non traitée par cet outil !
C:\WINDOWS\system32\abadd.bak2 trouvé ! infection Vundo possible non traitée par cet outil !
C:\WINDOWS\system32\yyadd.bak2 trouvé ! infection Vundo possible non traitée par cet outil !

2)Recherche, création sauvegardes et suppression Heuristique :

C:\WINDOWS\system32\kpwtkylc.exe trouvé !
Copie C:\WINDOWS\system32\kpwtkylc.exe réalisé avec succès !
C:\WINDOWS\system32\kpwtkylc.exe supprimé !


*** Sauvegarde du Registre vers dossier Backupnavi ***

sauvegarde du Registre réalisé avec succès !

*** Nettoyage Registre ***

Nettoyage Registre Ok


*** Certificats ***

Certificat Egroup absent !

*** Nettoyage terminé le sam. 27/10/2007 à 21:05:33,64 ***


Vundo

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 21:08:31 27/10/2007

Listing files found while scanning....

C:\windows\system32\cydhtxdn.exe
C:\WINDOWS\system32\ddayy.dll
C:\windows\system32\dxopkvsv.exe
C:\windows\system32\eiptndit.exe
C:\WINDOWS\system32\enzkwiyx.dll
C:\windows\system32\fccbxvs.dll
C:\windows\system32\fcxucumd.exe
C:\windows\system32\ggooaequ.exe
C:\windows\system32\isxytqpw.exe
C:\windows\system32\kxurhxxs.exe
C:\windows\system32\mliqnkwi.exe
C:\windows\system32\oyduiuec.exe
C:\windows\system32\qmtvlggd.exe
C:\windows\system32\qrnsqaci.exe
C:\WINDOWS\system32\sethvgfb.dll
C:\windows\system32\tiwugpkv.exe
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp12.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\windows\system32\utxkcwhk.exe
C:\windows\system32\vayjvdmr.dll
C:\windows\system32\wgdsturv.exe
C:\WINDOWS\system32\wiehmytw.dll
C:\windows\system32\wxpydnkj.exe
C:\WINDOWS\system32\xxyvwtr.dll
C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.ini

Beginning removal...

Attempting to delete C:\windows\system32\cydhtxdn.exe
C:\windows\system32\cydhtxdn.exe Has been deleted!

Attempting to delete C:\windows\system32\dxopkvsv.exe
C:\windows\system32\dxopkvsv.exe Has been deleted!

Attempting to delete C:\windows\system32\eiptndit.exe
C:\windows\system32\eiptndit.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\enzkwiyx.dll
C:\WINDOWS\system32\enzkwiyx.dll Has been deleted!

Attempting to delete C:\windows\system32\fccbxvs.dll
C:\windows\system32\fccbxvs.dll Could not be deleted.

Attempting to delete C:\windows\system32\fcxucumd.exe
C:\windows\system32\fcxucumd.exe Has been deleted!

Attempting to delete C:\windows\system32\ggooaequ.exe
C:\windows\system32\ggooaequ.exe Has been deleted!

Attempting to delete C:\windows\system32\isxytqpw.exe
C:\windows\system32\isxytqpw.exe Has been deleted!

Attempting to delete C:\windows\system32\kxurhxxs.exe
C:\windows\system32\kxurhxxs.exe Has been deleted!

Attempting to delete C:\windows\system32\mliqnkwi.exe
C:\windows\system32\mliqnkwi.exe Has been deleted!

Attempting to delete C:\windows\system32\oyduiuec.exe
C:\windows\system32\oyduiuec.exe Has been deleted!

Attempting to delete C:\windows\system32\qmtvlggd.exe
C:\windows\system32\qmtvlggd.exe Has been deleted!

Attempting to delete C:\windows\system32\qrnsqaci.exe
C:\windows\system32\qrnsqaci.exe Has been deleted!

Attempting to delete C:\windows\system32\tiwugpkv.exe
C:\windows\system32\tiwugpkv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp1.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp12.tmp.dll
C:\WINDOWS\system32\tmp12.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll Has been deleted!

Attempting to delete C:\windows\system32\utxkcwhk.exe
C:\windows\system32\utxkcwhk.exe Has been deleted!

Attempting to delete C:\windows\system32\vayjvdmr.dll
C:\windows\system32\vayjvdmr.dll Has been deleted!

Attempting to delete C:\windows\system32\wgdsturv.exe
C:\windows\system32\wgdsturv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wiehmytw.dll
C:\WINDOWS\system32\wiehmytw.dll Has been deleted!

Attempting to delete C:\windows\system32\wxpydnkj.exe
C:\windows\system32\wxpydnkj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\fccbxvs.dll
C:\windows\system32\fccbxvs.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 21:14:50 27/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayy.dll
C:\windows\system32\fccbxvs.dll


HijackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:19:34, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Mes documents\Antivirus\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21a6581f-837b-4dbb-b8cd-79783b0e840d} - C:\WINDOWS\system32\avicper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {638F1A7A-8780-44E9-BF4D-AC1B4F8F1A4E} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: (no name) - {85472ABD-89A0-4677-AE04-B842C97BE4F2} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://onedrive.live.com/
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avicper - avicper.dll (file missing)
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: xxyvwtr - xxyvwtr.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
philae83 - 27 Oct 2007 at 21:26
Hi again,

Download combofix.exe (by sUBs) to your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Double-click combofix.exe.

* Press the Y (Yes) key to start the scan.

* When the scan is complete, a report will appear. Copy/paste that report into your next reply

NOTE: the report is also saved here: C:\Combofix.txt

then

* run HijackThis with "do a system scan only", then tick these lines:

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {21a6581f-837b-4dbb-b8cd-79783b0e840d} - C:\WINDOWS\system32\avicper.dll (file missing)
O2 - BHO: (no name) - {638F1A7A-8780-44E9-BF4D-AC1B4F8F1A4E} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: (no name) - {85472ABD-89A0-4677-AE04-B842C97BE4F2} - C:\WINDOWS\system32\ddaba.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://onedrive.live.com/
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avicper - avicper.dll (file missing)
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: xxyvwtr - xxyvwtr.dll (file missing)

* with all applications closed and the PC offline, click "Fix checked"

post a new HijackThis report along with the ComboFix one
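As an added example (not code from this thread, nor from the HijackThis project), a small Python triage script that applies to lines in the HijackThis log format the checks the helper makes by eye when picking lines to tick: references to files that are gone, unnamed BHOs/toolbars, autoruns from a Temp directory, rundll32 loading a DLL from an unusual place or through a one-letter export, and Winlogon Notify packages outside the Windows XP defaults. The sample lines, the default-package list and the thresholds are assumptions constructed for this example; every hit is a candidate for review, not a verdict.

```python
"""Heuristic triage of HijackThis 2.0 log lines (added example, not thread code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis log format, modelled on entry types seen in
# this thread (not the user's full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {21a6581f-837b-4dbb-b8cd-79783b0e840d} - C:\WINDOWS\system32\avicper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [vyzifmrk] rundll32.exe "C:\Program Files\vyzifmrk\zclofmrs.dll",Init
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\knjdrbst.dll",b
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp29.tmp.exe"
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: kufzbhta - C:\WINDOWS\SYSTEM32\kufzbhta.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Winlogon Notify subkeys present on a stock Windows XP install (assumption:
# extend with the vendor packages, e.g. graphics drivers, used in your fleet).
XP_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<rest>.*)$")      # "<section> - <rest>"
O4_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")    # "HKLM\..\Run: [name] cmd"
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?,+(?P<export>\S*)', re.I)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty list = nothing to report)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, rest = m.group("sec"), m.group("rest")
    hits: List[Finding] = []

    # 1. Entry points at a file that is gone: a leftover of a partial clean-up,
    #    harmless to remove, and the first thing the helper ticks.
    if rest.endswith("(file missing)") or rest.endswith("(no file)"):
        hits.append(Finding(sec, "dangling reference", line))

    # 2. Browser helper object or toolbar registered without a description.
    if sec in ("O2", "O3") and "(no name)" in rest:
        hits.append(Finding(sec, "unnamed BHO/toolbar", line))

    # 3. Autorun entries: binaries under Temp, and rundll32 loading a DLL from
    #    outside system32 or through a one-letter export name.
    if sec == "O4" and (o4 := O4_RE.match(rest)):
        cmd = o4.group("cmd")
        if re.search(r"\\Temp\\", cmd, re.I):
            hits.append(Finding(sec, "autorun from a Temp directory", line))
        if rd := RUNDLL_RE.match(cmd):
            dll, export = rd.group("dll"), rd.group("export")
            outside_system32 = "\\" in dll and not re.search(r"\\system32\\", dll, re.I)
            if outside_system32 or len(export) <= 1:
                hits.append(Finding(sec, "rundll32 loading an unusual DLL", line))

    # 4. Winlogon Notify DLLs run inside winlogon.exe; anything beyond the stock
    #    set deserves a look even when the file is still present.
    if sec == "O20" and (nt := NOTIFY_RE.match(rest)):
        if nt.group("key").lower() not in XP_NOTIFY_DEFAULTS:
            hits.append(Finding(sec, "non-default Winlogon Notify package", line))
    return hits


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log, preserving order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against a full saved log, the output is the shortlist a helper would then confirm entry by entry (for instance with the VirusTotal step used later in this thread) before ticking anything in HijackThis.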
Combofix

ComboFix 07-10-26.4 - Admin 2007-10-27 21:30:38.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.467 [GMT 2:00]
Running from: F:\Mes documents\Antivirus\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\JB7NRZYT\www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Admin\Bureau\Live Safety Center.lnk
C:\Documents and Settings\Admin\Bureau\Online Security Guide.lnk
C:\Documents and Settings\Admin\Favoris\Online Security Guide.lnk
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\Program Files\Fichiers communs\BestsellerAntivirus
C:\Program Files\Fichiers communs\BestsellerAntivirus\is-G8SLQ.tmp
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dfhilm.ini
C:\WINDOWS\mlihfd.dll
C:\WINDOWS\system32\abadd.bak1
C:\WINDOWS\system32\abadd.ini
C:\WINDOWS\system32\anynxanl.dll
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\cookie.dat
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\enzkwiyx.dllbox
C:\WINDOWS\system32\kufzbhta.dllbox
C:\WINDOWS\system32\ps.dat
C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\yoikdlcc.ini
C:\WINDOWS\system32\yoikdlcc.ini2
C:\WINDOWS\system32\yoikdlcc.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTLDR.SYS
-------\LEGACY_WINDEV-1A8-45E8
-------\ntldr.sys
-------\windev-1a8-45e8


((((((((((((((((((((((((((((( Fichiers créés 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))))))))
.

2007-10-27 21:29 340,032 --a------ C:\WINDOWS\system32\kufzbhta.dll
2007-10-27 21:28 340,032 --a------ C:\WINDOWS\system32\klxxfdkf.dll
2007-10-27 21:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 21:23 83,520 --a------ C:\WINDOWS\system32\ccldkioy.dll
2007-10-27 21:08 <REP> d-------- C:\VundoFix Backups
2007-10-27 20:42 <REP> d-------- C:\Program Files\Navilog1
2007-10-27 20:40 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 20:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-27 20:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-27 20:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-27 20:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-27 14:17 658,432 --a------ C:\WINDOWS\is-TJC48.exe
2007-10-27 14:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-25 15:38 <REP> d-------- C:\WINDOWS\system32\fkmdvbtn
2007-10-25 15:38 <REP> d-------- C:\Program Files\vyzifmrk
2007-10-25 15:38 <REP> d-------- C:\Program Files\Glxojkwc
2007-10-25 15:38 34,816 --------- C:\WINDOWS\system32\fccbxvs.dll
2007-10-13 01:09 <REP> d-------- C:\Program Files\MSXML 6.0
2007-10-10 23:05 <REP> d-------- C:\Program Files\AviSynth 2.5
2007-10-10 22:40 <REP> d-------- C:\WINDOWS\system32\fr-FR
2007-10-10 22:39 <REP> d-------- C:\Program Files\MSBuild
2007-10-10 22:35 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-10 22:34 <REP> d-------- C:\Program Files\Reference Assemblies
2007-10-10 22:34 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-10 22:23 <REP> d-------- C:\Program Files\KeepV Converter
2007-10-10 17:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 19:17 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2007-10-27 17:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-22 16:37 --------- d-----w C:\Program Files\UltimateZip
2007-10-13 12:22 --------- d-----w C:\Program Files\MIKSOFT
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 57,344 2005-06-23 19:33:00 C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\bak\apdproxy.exe

----a-w 108,160 2007-01-15 17:28:57 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

-c--a-w 864,256 2004-11-11 21:00:04 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

-c--a-w 94,208 2005-10-28 15:25:44 C:\Program Files\Fichiers communs\Ahead\Lib\bak\NMBgMonitor.exe

-c--a-r 155,648 2003-10-14 09:22:30 C:\Program Files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 171,448 2007-02-08 16:15:23 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

-c--a-w 49,263 2006-11-09 14:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe

-c--a-w 20,480 2006-03-03 18:28:27 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\BackWeb-8876480.exe

-c--a-w 458,752 2005-06-08 14:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

-c--a-w 217,088 2005-06-08 14:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

-c--a-w 196,608 2005-06-08 13:44:14 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

-c--a-w 73,728 2005-10-31 09:35:08 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\bak\Remoterm.exe

-c--a-w 282,624 2006-06-25 13:46:01 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 40,960 2004-03-10 10:39:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

-c--a-w 57,393 2004-03-10 10:20:16 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

-c--a-w 15,360 2004-08-19 16:09:52 C:\WINDOWS\system32\bak\ctfmon.exe

-c--a-w 221,184 2005-07-19 16:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

-c--a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

-c--a-w 406,016 2003-11-10 15:06:08 C:\WINDOWS\system32\bak\PSDrvCheck.exe

----a-w 35,328 2006-11-21 17:38:22 E:\Program Files\Winamp\bak\winampa.exe
----a-w 36,352 2007-10-10 05:28:32 E:\Program Files\Winamp\winampa.exe

.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21a6581f-837b-4dbb-b8cd-79783b0e840d}]
C:\WINDOWS\system32\avicper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{638F1A7A-8780-44E9-BF4D-AC1B4F8F1A4E}]
C:\WINDOWS\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
2007-10-25 15:38 34816 --------- C:\WINDOWS\system32\fccbxvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-27 21:29 340032 --a------ C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kufzbhta.dll [2007-10-27 21:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 10:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 15:49]
"nwiz"="nwiz.exe" [2005-10-10 15:49 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 15:49]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" []
"CHotkey"="mHotkey.exe" [2004-09-21 12:10 C:\WINDOWS\mHotkey.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" []
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" []
"SSBkgdUpdate"="C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" []
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" []
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 18:10 C:\WINDOWS\system32\bthprops.cpl]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" []
"bc234373"="C:\WINDOWS\system32\ccldkioy.dll" [2007-10-27 21:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" []
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Q3E Minimizer v1.45"=E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Config"=%systemroot%\system32\run.cmd
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\fccbxvs.dll [2007-10-25 15:38 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avicper]
avicper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]
C:\WINDOWS\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta]
kufzbhta.dll 2007-10-27 21:29 340032 C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
winrnt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvwtr]
xxyvwtr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 ids00026;ids00026;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys
S3 ids0005c;ids0005c;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0005c.sys
S3 ids00118;ids00118;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 21:39:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 21:43:11 - machine was rebooted
.
--- E O F ---

Hijackthis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:52:54, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Mes documents\Antivirus\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46AF7F60-AFD1-4F27-8482-83C6A29ABFB4} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kufzbhta.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\ccldkioy.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: kufzbhta - C:\WINDOWS\SYSTEM32\kufzbhta.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
philae83 - 27 Oct 2007 at 22:20
Hi again,

OK

you can read this:

https://forum.malekal.com/viewtopic.php?f=56&t=4887

then

the steps are long; I advise you to print everything so you can follow along, since you won't have Internet access while in Safe Mode.

Please also do them in order. Thanks

you don't have the right version of HijackThis; get it again from here
http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis
post a new report at the end

next

Download OTMoveIt (by Old_Timer) to your Desktop.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

then

* restart in SAFE MODE
http://service1.symantec.com/support/inter/tsgeninfointl.nsf/fr_docid/20020905112131924

and

* run HijackThis with "do a system scan only", then tick these lines:


O2 - BHO: (no name) - {46AF7F60-AFD1-4F27-8482-83C6A29ABFB4} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kufzbhta.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\ccldkioy.dll",b
O20 - Winlogon Notify: kufzbhta - C:\WINDOWS\SYSTEM32\kufzbhta.dll

* click "Fix checked"

then

double-click OTMoveIt.exe to launch it.
copy the list quoted below,
and paste it into the left-hand pane of OTMoveIt: "Paste List of Files/Folders to be moved".

C:\WINDOWS\system32\kufzbhta.dll
C:\WINDOWS\system32\klxxfdkf.dll
C:\WINDOWS\system32\ccldkioy.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\fkmdvbtn
C:\Program Files\vyzifmrk
C:\Program Files\Glxojkwc
C:\WINDOWS\system32\fccbxvs.dll
C:\WINDOWS\system32\avicper.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\fccbxvs.dll
C:\WINDOWS\system32\kufzbhta.dll


click MoveIt! to start the removal.
the result will appear in the Results pane.
click Exit to close.
post the report located in C:\_OTMoveIt\MovedFiles.

you may be asked to restart the PC to complete the removal.
if so, accept with Yes.

then restart normally

and

* Make sure you can see all files

- Start

- My Computer or any other folder

- Tools menu

- Folder Options

- View tab

then

- tick: Show hidden files and folders

- untick: Hide extensions for known file types

- untick: Hide protected operating system files

Then - Apply

then

go to the VIRUS TOTAL site

http://www.virustotal.com/en/indexf.html

Tutorial: http://pageperso.aol.fr/loraline60/virus_total.htm

to have these files analysed

C:\WINDOWS\is-TJC48.exe
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\system32\drivers\PnkBstrK.sys
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\msfDX.dll

then post the generated reports here

* rerun ComboFix and post the report

then

download ERUNT to back up your registry
https://www.zebulon.fr/telechargements/utilitaires/systeme-utilitaires/erunt.html
tutorial
http://pageperso.aol.fr/loraline60/tuto_erunt.htm

next

Start -> Run -> type regedit -> OK

then navigate to these keys and delete what is in bold (only)
if in doubt, don't touch anything and come back to ask


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
winrnt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvwtr]
xxyvwtr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaba.dll

and

* Download SDFix to your desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double-click SDFix.exe and choose Install to extract it to a dedicated folder on the Desktop.

* Restart your computer in Safe Mode

* Open the SDFix folder that was just created on the Desktop and double-click RunThis.bat to run the script.

* Press Y to start the cleaning process.

It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to restart.

* Press any key to restart the PC.

Your system will take longer than usual to restart because the tool will keep running and deleting files.

After the Desktop loads, the tool will finish its work and display Finished.

* Press any key to finish running the script and load your Desktop icons.

Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.

Finally, copy/paste the contents of Report.txt into your next reply on the forum,


AND


* rerun ComboFix and post the report

* also post a new HijackThis report (new version)



0
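As an added example (not a tool from this thread, and not the helper's or the poster's code), the script below does in Python what the instructions above do by eye: it parses HijackThis O2/O3/O4/O20 lines and the ComboFix LSA "Authentication Packages" line, scores each DLL by the privileged load points it is hooked into, and turns the flagged ones into the same manual steps the post spells out (file to move, Winlogon Notify subkey to delete, LSA value to restore to msv1_0 alone). The sample lines are constructed in the shape of the logs in this thread; the load-point weights, the threshold of 2, and the assumption that the Winlogon Notify subkey is named after the DLL (as it is here) are choices of this example, not anything HijackThis or ComboFix define. Matching on load point rather than file name is the point: the ComboFix logs posted in the reply that follows show the LSA DLL renamed between two runs (ddccd.dll, then awvvs.dll).

```python
"""Triage of HijackThis / ComboFix lines for Vundo-style persistence.

Added example, not a tool used in this thread. Parses the two log shapes the
instructions above read by hand and flags a DLL that is hooked in as a BHO
(O2), IE toolbar (O3), Winlogon Notify handler (O20), a Run key fired through
rundll32 with a one-letter export (O4), or appended to the LSA
"Authentication Packages" value next to msv1_0.
"""
import re
from collections import defaultdict

HJT_LINE = re.compile(r"^O(?P<item>\d+)\s+-\s+(?P<rest>.*)$")
DLL_PATH = re.compile(r"(?P<path>[A-Za-z]:\\[^\"\r\n,]*?\.dll)", re.I)
RUNDLL_ONE_LETTER = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<path>[^\"]+?\.dll)\"?\s*,\s*[A-Za-z]\s*$", re.I)
LSA_LINE = re.compile(r"\"Authentication Packages\"\s*=\s*(?P<pkgs>.+)$", re.I)

# (label, weight) per load point. Weights are this example's choice: Winlogon
# Notify handlers and LSA packages load into winlogon/lsass, so a single hit
# there already deserves a look; a BHO or toolbar alone is common and benign.
LOAD_POINTS = {"2": ("BHO", 1), "3": ("IE toolbar", 1), "20": ("Winlogon Notify", 2)}
RUNDLL_POINT = ("Run key via rundll32 with single-letter export", 2)
LSA_POINT = ("LSA Authentication Packages", 2)
SUSPICIOUS_AT = 2  # threshold on the summed weights (example's choice)


def parse_hijackthis(text):
    """Map each DLL path (lower-cased) to the set of load points it appears under."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        item, rest = m.group("item"), m.group("rest")
        if item in LOAD_POINTS:
            p = DLL_PATH.search(rest)
            if p:
                hits[p.group("path").lower()].add(LOAD_POINTS[item])
        elif item == "4":
            r = RUNDLL_ONE_LETTER.search(rest)
            if r:
                hits[r.group("path").lower()].add(RUNDLL_POINT)
    return hits


def parse_lsa_packages(text):
    """Return every LSA authentication package other than the built-in msv1_0.
    ComboFix prints the multi-string value whitespace-separated, as in the thread,
    so a package path containing spaces would be split here (known limitation)."""
    extra = []
    for line in text.splitlines():
        m = LSA_LINE.search(line)
        if m:
            extra.extend(p for p in m.group("pkgs").split() if p.lower() != "msv1_0")
    return extra


def triage(hjt_text, combofix_text):
    """Score each DLL by its load points; system32 DLLs at or above the threshold are flagged."""
    hits = parse_hijackthis(hjt_text)
    for pkg in parse_lsa_packages(combofix_text):
        hits[pkg.lower()].add(LSA_POINT)
    findings = []
    for path, points in sorted(hits.items()):
        score = sum(weight for _, weight in points)
        suspicious = "\\system32\\" in path and score >= SUSPICIOUS_AT
        findings.append({
            "path": path,
            "load_points": sorted(name for name, _ in points),
            "verdict": "suspicious" if suspicious else "review",
        })
    return findings


def cleanup_plan(findings):
    """Turn flagged DLLs into the manual steps the post spells out: the file to move,
    the Winlogon Notify subkey to delete (assumed, as in this thread, to be named
    after the DLL), and the LSA value to restore to msv1_0 alone."""
    steps = []
    for f in findings:
        if f["verdict"] != "suspicious":
            continue
        base = f["path"].rsplit("\\", 1)[-1]
        steps.append("move to quarantine: " + f["path"])
        if "Winlogon Notify" in f["load_points"]:
            steps.append("delete key: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                         "\\Winlogon\\Notify\\" + base[:-4])
        if "LSA Authentication Packages" in f["load_points"]:
            steps.append("set HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\"
                         "Authentication Packages = msv1_0 (remove " + base + ")")
    return steps


# Constructed sample in the shape of the thread's logs (not the real files).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kufzbhta.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\ccldkioy.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: kufzbhta - C:\WINDOWS\SYSTEM32\kufzbhta.dll
"""
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddccd.dll
"""

if __name__ == "__main__":
    found = triage(SAMPLE_HJT, SAMPLE_COMBOFIX)
    for f in found:
        print(f["verdict"], f["path"], ", ".join(f["load_points"]))
    for step in cleanup_plan(found):
        print("  ->", step)
```

To use it on real reports, read hijackthis.log and ComboFix.txt into the two text arguments instead of the samples. The benign avast! Run entry is never reported because only rundll32 launches with a one-letter export count under O4; everything else the tools list (services, policies, the Find3M file list) is out of scope here.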
Well, I managed it, but it doesn't look like it changed much; even though the original problem seemed to have gone, it came back after 2-3 reboots of the PC. I'm posting all the reports you asked for anyway.

OTmoveit

C:\WINDOWS\system32\kufzbhta.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\kufzbhta.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\klxxfdkf.dll unregistered successfully.
C:\WINDOWS\system32\klxxfdkf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ccldkioy.dll
C:\WINDOWS\system32\ccldkioy.dll NOT unregistered.
C:\WINDOWS\system32\ccldkioy.dll moved successfully.
File/Folder C:\WINDOWS\system32\temp.reg not found.
C:\WINDOWS\system32\VCCLSID.exe moved successfully.
C:\WINDOWS\system32\SrchSTS.exe moved successfully.
C:\WINDOWS\system32\dumphive.exe moved successfully.
C:\WINDOWS\system32\WS2Fix.exe moved successfully.
C:\WINDOWS\system32\fkmdvbtn moved successfully.
C:\Program Files\vyzifmrk moved successfully.
C:\Program Files\Glxojkwc moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fccbxvs.dll
C:\WINDOWS\system32\fccbxvs.dll NOT unregistered.
C:\WINDOWS\system32\fccbxvs.dll moved successfully.
File/Folder C:\WINDOWS\system32\ddayy.dll not found.
File/Folder C:\WINDOWS\system32\fccbzvs.dll not found.
C:\WINDOWS\system32\kufzbhta.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\kufzbhta.dll scheduled to be moved on reboot.

Created on 10/27/2007 22:42:34


Virus Total

File spmsg2.dll received on 2007.10.27 23:10:01 (CET)
Current status: finished
Result: 0/32 (0%)

File is-TJC48.exe received on 2007.10.27 23:09:22 (CET)
Current status: finished
Result: 0/32 (0%)

File PnkBstrK.sys received on 2007.10.27 23:12:43 (CET)
Current status: finished
Result: 0/32 (0%)

File flvDX.dll received on 2007.10.27 23:15:19 (CET)
Current status: finished
Result: 0/32 (0%)

File msfDX.dll received on 2007.10.27 23:16:21 (CET)
Current status: finished
Result: 2/31 (6.46%)



ComboFix 1

ComboFix 07-10-26.4 - Admin 2007-10-28 0:01:32.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.547 [GMT 2:00]
Running from: F:\Mes documents\Antivirus\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Bureau\Live Safety Center.lnk
C:\Documents and Settings\Admin\Bureau\Online Security Guide.lnk
C:\Documents and Settings\Admin\Favoris\Online Security Guide.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cyrokalt.dll
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\kufzbhta.dllbox

.
((((((((((((((((((((((((((((( Files created 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))))))))
.

2007-10-27 23:06 83,520 --a------ C:\WINDOWS\system32\eouyyjqj.dll
2007-10-27 22:29 <REP> d-------- C:\Program Files\Trend Micro
2007-10-27 21:29 340,032 --a------ C:\WINDOWS\system32\kufzbhta.dll
2007-10-27 21:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 21:08 <REP> d-------- C:\VundoFix Backups
2007-10-27 20:42 <REP> d-------- C:\Program Files\Navilog1
2007-10-27 20:40 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 14:17 658,432 --a------ C:\WINDOWS\is-TJC48.exe
2007-10-27 14:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-25 15:38 34,816 --------- C:\WINDOWS\system32\fccbxvs.dll
2007-10-13 01:09 <REP> d-------- C:\Program Files\MSXML 6.0
2007-10-10 23:05 <REP> d-------- C:\Program Files\AviSynth 2.5
2007-10-10 22:40 <REP> d-------- C:\WINDOWS\system32\fr-FR
2007-10-10 22:39 <REP> d-------- C:\Program Files\MSBuild
2007-10-10 22:35 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-10 22:34 <REP> d-------- C:\Program Files\Reference Assemblies
2007-10-10 22:34 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-10 22:23 <REP> d-------- C:\Program Files\KeepV Converter
2007-10-10 17:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 22:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2007-10-27 21:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-27 21:19 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-22 16:37 --------- d-----w C:\Program Files\UltimateZip
2007-10-13 12:22 --------- d-----w C:\Program Files\MIKSOFT
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:47 43,602 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-08-28 19:02 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-21 06:17 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_21.40.17.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:52:10 5,074,944 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:52:10 122,880 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:59:03 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:59:04 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000002\UsrClass.dat
+ 2007-10-27 22:08:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_680.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 57,344 2005-06-23 19:33:00 C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\bak\apdproxy.exe

----a-w 108,160 2007-01-15 17:28:57 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

-c--a-w 864,256 2004-11-11 21:00:04 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

-c--a-w 94,208 2005-10-28 15:25:44 C:\Program Files\Fichiers communs\Ahead\Lib\bak\NMBgMonitor.exe

-c--a-r 155,648 2003-10-14 09:22:30 C:\Program Files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 171,448 2007-02-08 16:15:23 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

-c--a-w 49,263 2006-11-09 14:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe

-c--a-w 20,480 2006-03-03 18:28:27 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\BackWeb-8876480.exe

-c--a-w 458,752 2005-06-08 14:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

-c--a-w 217,088 2005-06-08 14:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

-c--a-w 196,608 2005-06-08 13:44:14 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

-c--a-w 73,728 2005-10-31 09:35:08 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\bak\Remoterm.exe

-c--a-w 282,624 2006-06-25 13:46:01 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 40,960 2004-03-10 10:39:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

-c--a-w 57,393 2004-03-10 10:20:16 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

-c--a-w 15,360 2004-08-19 16:09:52 C:\WINDOWS\system32\bak\ctfmon.exe

-c--a-w 221,184 2005-07-19 16:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

-c--a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

-c--a-w 406,016 2003-11-10 15:06:08 C:\WINDOWS\system32\bak\PSDrvCheck.exe

----a-w 35,328 2006-11-21 17:38:22 E:\Program Files\Winamp\bak\winampa.exe
----a-w 36,352 2007-10-10 05:28:32 E:\Program Files\Winamp\winampa.exe

.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
2007-10-25 15:38 34816 --------- C:\WINDOWS\system32\fccbxvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-27 21:29 340032 --a------ C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kufzbhta.dll [2007-10-27 21:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kufzbhta.dll [2007-10-27 21:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 10:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 15:49]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 15:49]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" []
"CHotkey"="mHotkey.exe" [2004-09-21 12:10 C:\WINDOWS\mHotkey.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" []
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" []
"SSBkgdUpdate"="C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" []
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" []
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 18:10 C:\WINDOWS\system32\bthprops.cpl]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" []
"bc234373"="C:\WINDOWS\system32\eouyyjqj.dll" [2007-10-27 23:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Q3E Minimizer v1.45"=E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Config"=%systemroot%\system32\run.cmd
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Admin\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-03-06 15:26:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\fccbxvs.dll [2007-10-25 15:38 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta]
kufzbhta.dll 2007-10-27 21:29 340032 C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 ids00026;ids00026;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys
S3 ids0005c;ids0005c;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0005c.sys
S3 ids00118;ids00118;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 00:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 0:14:27 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 21:43
.
--- E O F ---

SDFix

SDFix: Version 1.112

Run by Admin on dim. 28/10/2007 at 00:19

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Unable To Replace Patched File!


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\CP1041.NLS - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Sun 28 Oct 2007 17,006 ..SH. --- "C:\WINDOWS\system32\kufzbhta.dllbox"
Sun 28 Oct 2007 1,313 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Fri 3 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 28 Oct 2007 4,286 A..H. --- "C:\Documents and Settings\Admin\Local Settings\Temp\ico3.tmp"
Sun 28 Oct 2007 4,286 A..H. --- "C:\Documents and Settings\Admin\Local Settings\Temp\ico4.tmp"
Sun 28 Oct 2007 4,286 A..H. --- "C:\Documents and Settings\Admin\Local Settings\Temp\ico5.tmp"
Sun 28 Oct 2007 4,286 A..H. --- "C:\Documents and Settings\Admin\Local Settings\Temp\ico6.tmp"
Sun 28 Oct 2007 4,286 A..H. --- "C:\Documents and Settings\Admin\Local Settings\Temp\ico7.tmp"
Sat 3 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 13 Nov 2004 37,376 A..H. --- "C:\Program Files\Fichiers communs\Adobe\ESD\DLMCleanup.exe"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d03f71700772ecd1d20bacc33c473cd5\BIT360B.tmp"

Finished!

Combofix 2

ComboFix 07-10-26.4 - Admin 2007-10-28 0:27:41.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.578 [GMT 2:00]
Running from: F:\Mes documents\Antivirus\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Bureau\Live Safety Center.lnk
C:\Documents and Settings\Admin\Bureau\Online Security Guide.lnk
C:\Documents and Settings\Admin\Favoris\Online Security Guide.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\WINDOWS\system32\kufzbhta.dllbox

.
((((((((((((((((((((((((((((( Files created 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))))))))
.

2007-10-28 00:29 314,464 --a------ C:\WINDOWS\system32\awvvs.dll
2007-10-28 00:18 <REP> d-------- C:\WINDOWS\ERUNT
2007-10-27 23:06 83,520 --a------ C:\WINDOWS\system32\eouyyjqj.dll
2007-10-27 22:29 <REP> d-------- C:\Program Files\Trend Micro
2007-10-27 21:29 340,032 --a------ C:\WINDOWS\system32\kufzbhta.dll
2007-10-27 21:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 21:08 <REP> d-------- C:\VundoFix Backups
2007-10-27 20:42 <REP> d-------- C:\Program Files\Navilog1
2007-10-27 20:40 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 14:17 658,432 --a------ C:\WINDOWS\is-TJC48.exe
2007-10-27 14:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-25 15:38 34,816 --------- C:\WINDOWS\system32\fccbxvs.dll
2007-10-13 01:09 <REP> d-------- C:\Program Files\MSXML 6.0
2007-10-10 23:05 <REP> d-------- C:\Program Files\AviSynth 2.5
2007-10-10 22:40 <REP> d-------- C:\WINDOWS\system32\fr-FR
2007-10-10 22:39 <REP> d-------- C:\Program Files\MSBuild
2007-10-10 22:35 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-10 22:34 <REP> d-------- C:\Program Files\Reference Assemblies
2007-10-10 22:34 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-10 22:23 <REP> d-------- C:\Program Files\KeepV Converter
2007-10-10 17:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 22:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2007-10-27 21:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-27 21:19 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-22 16:37 --------- d-----w C:\Program Files\UltimateZip
2007-10-13 12:22 --------- d-----w C:\Program Files\MIKSOFT
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:47 43,602 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-08-28 19:02 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-21 06:17 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_21.40.17.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:52:10 5,074,944 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:52:10 122,880 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\ERDNT.EXE
+ 2007-10-27 22:10:37 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:10:38 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:59:03 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:59:04 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\ERDNT.EXE
+ 2007-10-27 22:26:18 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:26:19 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\Users\00000002\UsrClass.dat
+ 2007-10-25 07:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-27 22:18:30 5,091,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:18:30 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-25 07:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-27 22:18:16 5,091,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:18:16 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-10-27 22:32:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 57,344 2005-06-23 19:33:00 C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\bak\apdproxy.exe

----a-w 108,160 2007-01-15 17:28:57 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

-c--a-w 864,256 2004-11-11 21:00:04 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

-c--a-w 94,208 2005-10-28 15:25:44 C:\Program Files\Fichiers communs\Ahead\Lib\bak\NMBgMonitor.exe

-c--a-r 155,648 2003-10-14 09:22:30 C:\Program Files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 171,448 2007-02-08 16:15:23 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

-c--a-w 49,263 2006-11-09 14:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe

-c--a-w 20,480 2006-03-03 18:28:27 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\BackWeb-8876480.exe

-c--a-w 458,752 2005-06-08 14:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

-c--a-w 217,088 2005-06-08 14:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

-c--a-w 196,608 2005-06-08 13:44:14 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

-c--a-w 73,728 2005-10-31 09:35:08 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\bak\Remoterm.exe

-c--a-w 282,624 2006-06-25 13:46:01 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 40,960 2004-03-10 10:39:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

-c--a-w 57,393 2004-03-10 10:20:16 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

-c--a-w 15,360 2004-08-19 16:09:52 C:\WINDOWS\system32\bak\ctfmon.exe

-c--a-w 221,184 2005-07-19 16:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

-c--a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

-c--a-w 406,016 2003-11-10 15:06:08 C:\WINDOWS\system32\bak\PSDrvCheck.exe

----a-w 35,328 2006-11-21 17:38:22 E:\Program Files\Winamp\bak\winampa.exe
----a-w 36,352 2007-10-10 05:28:32 E:\Program Files\Winamp\winampa.exe

.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B9B2B5-99AC-40A7-860D-FBE6EA2CF460}]
2007-10-28 00:29 314464 --a------ C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
2007-10-25 15:38 34816 --------- C:\WINDOWS\system32\fccbxvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-27 21:29 340032 --a------ C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kufzbhta.dll [2007-10-27 21:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kufzbhta.dll [2007-10-27 21:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 10:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 15:49]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 15:49]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" []
"CHotkey"="mHotkey.exe" [2004-09-21 12:10 C:\WINDOWS\mHotkey.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" []
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" []
"SSBkgdUpdate"="C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" []
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" []
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 18:10 C:\WINDOWS\system32\bthprops.cpl]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" []
"bc234373"="C:\WINDOWS\system32\eouyyjqj.dll" [2007-10-27 23:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Q3E Minimizer v1.45"=E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Config"=%systemroot%\system32\run.cmd
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Admin\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-03-06 15:26:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\fccbxvs.dll [2007-10-25 15:38 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta]
kufzbhta.dll 2007-10-27 21:29 340032 C:\WINDOWS\system32\kufzbhta.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 ids00026;ids00026;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys
S3 ids0005c;ids0005c;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0005c.sys
S3 ids00118;ids00118;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 00:33:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 0:38:23 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-28 00:14
C:\ComboFix3.txt ... 2007-10-27 21:43
.
--- E O F ---


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:39:38, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\eouyyjqj.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
0
philae83 - Posts: 12837 - Registered: Wednesday 3 January 2007 - Status: Security contributor - Last activity: 8 December 2009
28 Oct 2007 at 01:07
OK thanks, I'm looking at the reports.

Did you do the steps in the registry? Did you delete what I had listed for you? Did you find them?
0
No, I didn't do the steps because I didn't find the files you had marked. There were some that looked similar, but I preferred not to touch anything since, from what I understood, I was working in the registry's software hive.
0
philae83 - Posts: 12837 - Registered: Wednesday 3 January 2007 - Status: Security contributor - Last activity: 8 December 2009
28 Oct 2007 at 01:16
Re

OK, thanks for your reply. I had you install ERUNT precisely to work around certain problems.


* Download VirtumundoBeGone to your desktop.
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Double-click VirtumundoBeGone.exe

* Follow the on-screen instructions

* When the scan is finished, save the report.

* Copy/paste it here

then


* Launch HijackThis and check these lines:

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\eouyyjqj.dll",b

* Click "Fix checked"

then

* Copy the lines of the following quotation in one go:

Files to Delete:
C:\WINDOWS\system32\fccbxvs.dll
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\eouyyjqj.dll
C:\WINDOWS\system32\kufzbhta.dll
C:\WINDOWS\system32\kufzbhta.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B9B2B5-99AC-40A7-860D-FBE6EA2CF460}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta
HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}


-> Right-click / "Copy"

Now create a new text document: right-click on the desktop, "New" > "Text Document".

* Open it and paste in what you just copied
* Save this file to your desktop (name: mad.txt)

* Now download The Avenger
http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/
* Unzip it to your desktop and double-click the file "avenger.exe"
* Click "OK"
* Select "Load Script from File" and click the folder icon.
* Select the mad.txt file on your desktop
* Click the green light to run the script
* Click "Yes"
* Accept the restart of your PC

after the restart:

* Open the file C:\avenger.txt and copy/paste its contents here,
along with a new HijackThis log

There is never a shortcut to the places worth going - Beverley Sills
* If I don't reply right away, I haven't forgotten you. When I start a post, I finish it :)
0
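An added example, not part of this thread or of any of the tools used in it: a small Python triage script that scores HijackThis O2/O3/O4 lines for the Vundo-style indicators the post above picks out by hand (unnamed or missing BHOs, DLLs with random-looking names in system32, rundll32 calling a one-letter export). The sample lines are copied from the logs in this thread; the scoring weights and the threshold are my own choice, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# mixed with clean entries from the same logs so the scoring has something to ignore.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DCF2641-3112-408A-A398-B0972DAC1D1D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kufzbhta.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bc234373] rundll32.exe "C:\WINDOWS\system32\eouyyjqj.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# O2 (BHO) and O3 (toolbar) lines share one layout: name - {CLSID} - path
O2_O3_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# O4 lines: hive\..\Run or RunOnce: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>,<export>, with or without quotes around the DLL path
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE
)
# A DLL directly under system32 whose base name is 5 to 8 letters; case is checked in code
SYSTEM32_DLL_RE = re.compile(r"\\system32\\(?P<base>[A-Za-z]{5,8})\.dll", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    score: int
    reasons: List[str]


def random_system32_dll(text: str) -> Optional[str]:
    """Return the base name if text references a system32 DLL named with only
    lowercase letters (awvvs, fccbxvs, kufzbhta, eouyyjqj in this thread)."""
    m = SYSTEM32_DLL_RE.search(text)
    if m and m.group("base").islower():
        return m.group("base")
    return None


def score_line(line: str) -> Optional[Finding]:
    """Score one O2/O3/O4 line; return a Finding when the score reaches 2.
    Weights (my own choice): weak signals count 1, stronger ones count 2, so a
    single '(no name)' BHO such as Spybot's SDHelper is not flagged on its own."""
    reasons: List[str] = []
    score = 0
    m = O2_O3_RE.match(line)
    if m:
        target = m.group("path")
        if m.group("name") == "(no name)":
            reasons.append("BHO/toolbar has no default name")
            score += 1
        if "(file missing)" in target:
            reasons.append("registered DLL is missing on disk")
            score += 1
    else:
        m = O4_RE.match(line)
        if not m:
            return None  # not one of the line types this triage looks at
        target = m.group("cmd")
        r = RUNDLL_RE.match(target)
        if r and len(r.group("export")) <= 1:
            reasons.append(f"rundll32 calls export '{r.group('export')}' (one character or less)")
            score += 2
    base = random_system32_dll(target)
    if base:
        reasons.append(f"random-looking DLL {base}.dll in system32")
        score += 2
    if score < 2:
        return None
    return Finding(line, score, reasons)


def triage(log: str) -> List[Finding]:
    """Run score_line over every line of a HijackThis log and keep the hits."""
    return [f for f in (score_line(l) for l in log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.score, "|", "; ".join(f.reasons), "|", f.line)
```

Run against the sample it reports the three entries the post tells the user to fix or delete (awvvs.dll, kufzbhta.dll, eouyyjqj.dll) and stays quiet on Adobe, Spybot, NVIDIA and avast!.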
Virtumundo


[10/28/2007, 1:19:40] - VirtumundoBeGone v1.5 ( "F:\Mes documents\Antivirus\VirtumundoBeGone.exe" )
[10/28/2007, 1:19:50] - Detected System Information:
[10/28/2007, 1:19:50] - Windows Version: 5.1.2600, Service Pack 2
[10/28/2007, 1:19:50] - Current Username: Admin (Admin)
[10/28/2007, 1:19:50] - Windows is in NORMAL mode.
[10/28/2007, 1:19:50] - Searching for Browser Helper Objects:
[10/28/2007, 1:19:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/28/2007, 1:19:50] - BHO 2: {355E5CE6-6BAA-47BF-BF96-2AB5C8F07DA6} ()
[10/28/2007, 1:19:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:50] - Checking for HKLM\...\Winlogon\Notify\awvvs
[10/28/2007, 1:19:50] - Key not found: HKLM\...\Winlogon\Notify\awvvs, continuing.
[10/28/2007, 1:19:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/28/2007, 1:19:51] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/28/2007, 1:19:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/28/2007, 1:19:51] - BHO 5: {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\fccbxvs
[10/28/2007, 1:19:51] - Key not found: HKLM\...\Winlogon\Notify\fccbxvs, continuing.
[10/28/2007, 1:19:51] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[10/28/2007, 1:19:51] - BHO 7: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\kufzbhta
[10/28/2007, 1:19:51] - Found: HKLM\...\Winlogon\Notify\kufzbhta - This is probably Virtumundo.
[10/28/2007, 1:19:51] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
[10/28/2007, 1:19:51] - BHO list has been changed! Starting over...
[10/28/2007, 1:19:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/28/2007, 1:19:51] - BHO 2: {355E5CE6-6BAA-47BF-BF96-2AB5C8F07DA6} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\awvvs
[10/28/2007, 1:19:51] - Key not found: HKLM\...\Winlogon\Notify\awvvs, continuing.
[10/28/2007, 1:19:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/28/2007, 1:19:51] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/28/2007, 1:19:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/28/2007, 1:19:51] - BHO 5: {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} ()
[10/28/2007, 1:19:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:51] - Checking for HKLM\...\Winlogon\Notify\fccbxvs
[10/28/2007, 1:19:51] - Key not found: HKLM\...\Winlogon\Notify\fccbxvs, continuing.
[10/28/2007, 1:19:51] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[10/28/2007, 1:19:51] - BHO 7: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[10/28/2007, 1:19:51] - ALERT: Found MSEvents Object!
[10/28/2007, 1:19:52] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/28/2007, 1:19:52] - Finished Searching Browser Helper Objects
[10/28/2007, 1:19:52] - *** Detected MSEvents Object
[10/28/2007, 1:19:52] - Trying to remove MSEvents Object...
[10/28/2007, 1:19:53] - Terminating Process: IEXPLORE.EXE
[10/28/2007, 1:19:54] - Terminating Process: RUNDLL32.EXE
[10/28/2007, 1:19:54] - Disabling Automatic Shell Restart
[10/28/2007, 1:19:54] - Terminating Process: EXPLORER.EXE
[10/28/2007, 1:19:55] - Suspending the NT Session Manager System Service
[10/28/2007, 1:19:55] - Terminating Windows NT Logon/Logoff Manager
[10/28/2007, 1:19:56] - Re-enabling Automatic Shell Restart
[10/28/2007, 1:19:56] - File to disable: C:\WINDOWS\system32\kufzbhta.dll
[10/28/2007, 1:19:56] - Renaming C:\WINDOWS\system32\kufzbhta.dll -> C:\WINDOWS\system32\kufzbhta.dll.vir
[10/28/2007, 1:19:56] - File successfully renamed!
[10/28/2007, 1:19:56] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/28/2007, 1:19:56] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/28/2007, 1:19:56] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/28/2007, 1:19:56] - Deleting ATLEvents/MSEvents Registry entries
[10/28/2007, 1:19:57] - Removing HKLM\...\Winlogon\Notify\kufzbhta
[10/28/2007, 1:19:57] - Searching for Browser Helper Objects:
[10/28/2007, 1:19:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/28/2007, 1:19:57] - BHO 2: {355E5CE6-6BAA-47BF-BF96-2AB5C8F07DA6} ()
[10/28/2007, 1:19:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:57] - Checking for HKLM\...\Winlogon\Notify\awvvs
[10/28/2007, 1:19:57] - Key not found: HKLM\...\Winlogon\Notify\awvvs, continuing.
[10/28/2007, 1:19:57] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/28/2007, 1:19:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:57] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/28/2007, 1:19:57] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/28/2007, 1:19:57] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/28/2007, 1:19:57] - BHO 5: {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} ()
[10/28/2007, 1:19:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:19:57] - Checking for HKLM\...\Winlogon\Notify\fccbxvs
[10/28/2007, 1:19:57] - Key not found: HKLM\...\Winlogon\Notify\fccbxvs, continuing.
[10/28/2007, 1:19:57] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[10/28/2007, 1:19:57] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/28/2007, 1:19:57] - Finished Searching Browser Helper Objects
[10/28/2007, 1:19:57] - Finishing up...
[10/28/2007, 1:19:57] - A restart is needed.
[10/28/2007, 1:19:57] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[10/28/2007, 1:20:04] - Attempting to Restart via STOP error (Blue Screen!)

[10/28/2007, 1:23:14] - VirtumundoBeGone v1.5 ( "F:\Mes documents\Antivirus\VirtumundoBeGone.exe" )
[10/28/2007, 1:23:26] - Detected System Information:
[10/28/2007, 1:23:26] - Windows Version: 5.1.2600, Service Pack 2
[10/28/2007, 1:23:26] - Current Username: Admin (Admin)
[10/28/2007, 1:23:26] - Windows is in NORMAL mode.
[10/28/2007, 1:23:27] - Searching for Browser Helper Objects:
[10/28/2007, 1:23:27] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/28/2007, 1:23:27] - BHO 2: {2DCF2641-3112-408A-A398-B0972DAC1D1D} ()
[10/28/2007, 1:23:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:23:27] - Checking for HKLM\...\Winlogon\Notify\awvvs
[10/28/2007, 1:23:27] - Key not found: HKLM\...\Winlogon\Notify\awvvs, continuing.
[10/28/2007, 1:23:27] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/28/2007, 1:23:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:23:27] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/28/2007, 1:23:27] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/28/2007, 1:23:27] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/28/2007, 1:23:27] - BHO 5: {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} ()
[10/28/2007, 1:23:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/28/2007, 1:23:27] - Checking for HKLM\...\Winlogon\Notify\fccbxvs
[10/28/2007, 1:23:27] - Key not found: HKLM\...\Winlogon\Notify\fccbxvs, continuing.
[10/28/2007, 1:23:27] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[10/28/2007, 1:23:27] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/28/2007, 1:23:27] - Finished Searching Browser Helper Objects
[10/28/2007, 1:23:27] - Finishing up...
[10/28/2007, 1:23:27] - Nothing found! Exiting...



Avenger

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ddwcjgvr

*******************

Script file located at: \??\C:\WINDOWS\seroerox.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\fccbxvs.dll deleted successfully.
File C:\WINDOWS\system32\awvvs.dll deleted successfully.
File C:\WINDOWS\system32\eouyyjqj.dll deleted successfully.


File C:\WINDOWS\system32\kufzbhta.dll not found!
Deletion of file C:\WINDOWS\system32\kufzbhta.dll failed!

Could not process line:
C:\WINDOWS\system32\kufzbhta.dll
Status: 0xc0000034



File C:\WINDOWS\system32\kufzbhta.dll not found!
Deletion of file C:\WINDOWS\system32\kufzbhta.dll failed!

Could not process line:
C:\WINDOWS\system32\kufzbhta.dll
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B9B2B5-99AC-40A7-860D-FBE6EA2CF460} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B9B2B5-99AC-40A7-860D-FBE6EA2CF460} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kufzbhta failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:50, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DCF2641-3112-408A-A398-B0972DAC1D1D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
0
philae83 - Posts: 12837 - Registered: Wednesday 3 January 2007 - Status: Security contributor - Last activity: 8 December 2009
28 Oct 2007 at 01:37
OK, we're getting there

Relaunch HijackThis and check these lines:

O2 - BHO: (no name) - {2DCF2641-3112-408A-A398-B0972DAC1D1D} - C:\WINDOWS\system32\awvvs.dll (file missing)

O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\fccbxvs.dll (file missing)


then relaunch ComboFix and post the new report please

0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:18, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
C:\Program Files\Pinnacle\MediaCenter\PMC.exe
C:\Program Files\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [Q3E Minimizer v1.45] E:\Florent\Wolfenstein\Minimizer\Q3E-Minimizer for WOLF-ET_v1[1].45.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
0
philae83 Posts 12837 Registered Wednesday 3 January 2007 Status Security contributor Last active 8 December 2009 206
28 Oct. 2007 at 01:51
It's the Combo log I'd like, please
0
Oops, sorry, let's say it's late ;)

ComboFix 07-10-26.4 - Admin 2007-10-28 1:53:14.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.513 [GMT 2:00]
Running from: F:\Mes documents\Antivirus\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\WINDOWS\system32\kufzbhta.dllbox

.
((((((((((((((((((((((((((((( Fichiers créés 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))))))))
.

2007-10-28 00:45 6,465 ---hs---- C:\WINDOWS\system32\svvwa.bak1
2007-10-28 00:18 <REP> d-------- C:\WINDOWS\ERUNT
2007-10-27 22:29 <REP> d-------- C:\Program Files\Trend Micro
2007-10-27 21:29 340,032 --a------ C:\WINDOWS\system32\kufzbhta.dll.vir
2007-10-27 21:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 21:08 <REP> d-------- C:\VundoFix Backups
2007-10-27 20:42 <REP> d-------- C:\Program Files\Navilog1
2007-10-27 20:40 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 14:17 658,432 --a------ C:\WINDOWS\is-TJC48.exe
2007-10-27 14:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-13 01:09 <REP> d-------- C:\Program Files\MSXML 6.0
2007-10-10 23:05 <REP> d-------- C:\Program Files\AviSynth 2.5
2007-10-10 22:40 <REP> d-------- C:\WINDOWS\system32\fr-FR
2007-10-10 22:39 <REP> d-------- C:\Program Files\MSBuild
2007-10-10 22:35 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-10 22:34 <REP> d-------- C:\Program Files\Reference Assemblies
2007-10-10 22:34 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-10 22:23 <REP> d-------- C:\Program Files\KeepV Converter
2007-10-10 17:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 23:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2007-10-27 23:25 --------- d-----w C:\Program Files\UltimateZip
2007-10-27 21:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-13 12:22 --------- d-----w C:\Program Files\MIKSOFT
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_21.40.17.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:52:10 5,074,944 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:52:10 122,880 ----a-w C:\WINDOWS\erdnt\27-10-2007\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\ERDNT.EXE
+ 2007-10-27 22:10:37 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:10:38 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-28\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\ERDNT.EXE
+ 2007-10-27 21:59:03 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 21:59:04 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-10-2007\Users\00000002\UsrClass.dat
+ 2005-03-06 13:27:46 162,816 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\ERDNT.EXE
+ 2007-10-27 22:26:18 5,091,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:26:19 122,880 ----a-w C:\WINDOWS\erdnt\AutoBackup\28-10-2007\Users\00000002\UsrClass.dat
+ 2007-10-25 07:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-27 22:18:30 5,091,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:18:30 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-25 07:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-27 22:18:16 5,091,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-10-27 22:18:16 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-27 17:03:11 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2007-10-27 21:19:41 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2007-10-27 23:56:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_670.dat
+ 2007-10-27 23:57:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_8ac.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 57,344 2005-06-23 19:33:00 C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\bak\apdproxy.exe

----a-w 108,160 2007-01-15 17:28:57 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

-c--a-w 864,256 2004-11-11 21:00:04 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

-c--a-w 94,208 2005-10-28 15:25:44 C:\Program Files\Fichiers communs\Ahead\Lib\bak\NMBgMonitor.exe

-c--a-r 155,648 2003-10-14 09:22:30 C:\Program Files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 171,448 2007-02-08 16:15:23 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

-c--a-w 49,263 2006-11-09 14:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe

-c--a-w 20,480 2006-03-03 18:28:27 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\BackWeb-8876480.exe

-c--a-w 458,752 2005-06-08 14:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

-c--a-w 217,088 2005-06-08 14:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

-c--a-w 196,608 2005-06-08 13:44:14 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

-c--a-w 73,728 2005-10-31 09:35:08 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\bak\Remoterm.exe

-c--a-w 282,624 2006-06-25 13:46:01 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 40,960 2004-03-10 10:39:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

-c--a-w 57,393 2004-03-10 10:20:16 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

-c--a-w 15,360 2004-08-19 16:09:52 C:\WINDOWS\system32\bak\ctfmon.exe

-c--a-w 221,184 2005-07-19 16:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

-c--a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

-c--a-w 406,016 2003-11-10 15:06:08 C:\WINDOWS\system32\bak\PSDrvCheck.exe

----a-w 35,328 2006-11-21 17:38:22 E:\Program Files\Winamp\bak\winampa.exe
----a-w 36,352 2007-10-10 05:28:32 E:\Program Files\Winamp\winampa.exe

.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 10:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 15:49]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 15:49]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" []
"CHotkey"="mHotkey.exe" [2004-09-21 12:10 C:\WINDOWS\mHotkey.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" []
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" []
"SSBkgdUpdate"="C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" []
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" []
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 18:10 C:\WINDOWS\system32\bthprops.cpl]
"WinampAgent"="E:\Program Files\Winamp\wianmpa.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Config"=%systemroot%\system32\run.cmd
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Admin\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-03-06 15:26:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoSMHelp"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 ids00026;ids00026;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys
S3 ids0005c;ids0005c;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0005c.sys
S3 ids00118;ids00118;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 01:56:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 2:00:06 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-28 00:38
C:\ComboFix3.txt ... 2007-10-28 00:14
.
--- E O F ---
0
philae83 Posts 12837 Registered Wednesday 3 January 2007 Status Security contributor Last active 8 December 2009 206
28 Oct. 2007 at 02:04
Perfect

Let's say everything should be fine now.

How is your PC behaving?

0
Really great, it's faster than before and I no longer have the big initial problem that sent me to a website every 30 seconds... thank you for your patience and for everything you did to help me! It's nice to meet people like you who help for the pleasure of it.

A very big thank you!!!
0
philae83 Posts 12837 Registered Wednesday 3 January 2007 Status Security contributor Last active 8 December 2009 206
28 Oct. 2007 at 02:12
Perfect

But since I'm a perfectionist, I'd like you to do a little online antivirus scan now

* Do an online antivirus scan with Internet Explorer
https://www.bitdefender.fr/
and copy-paste the result here
* At the bottom left of the window, click BitDefender SCAN ONLINE
* In the new window, click I agree
* The window changes again, click Click here to scan
* The signatures load, etc.

Illustrated tutorial

http://pageperso.aol.fr/rginformatique/mapage/defender.htm

I'll look at the report tomorrow

Good night

I'll also have some instructions to give you, to finish up
0
And here's the online scan...

<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner - Rapport d'analyse</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY BGCOLOR=#FFFFFF leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >


<table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
<tr>
<td width="458">
<p><font face="Arial" color=red><span style="font-size:14pt;"><b>BitDefender Online Scanner</b></span></font></p>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>
<tr>
<td colspan="3" width="912">
<p><font face="Arial"><span style="font-size:11pt;"><B>Rapport d'analyse généré à: Sun, Oct 28, 2007 - 04:19:35</b></span></font></p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B> </b></span></font></p>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>Voie d'analyse: </b></span><span style="font-size:10pt;">A:\;C:\;D:\;E:\;F:\;</span></font></p>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B> </b></span></font></p>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Statistiques</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Temps</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">02:36:30</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Fichiers</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">364294</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Directoires</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">9798</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Secteurs de boot</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">4</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Archives</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">1580</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Paquets programmes</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">56281</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>



<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Résultats</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Virus identifiés</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">16</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Fichiers infectés</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">43</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Fichiers suspects</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Avertissements</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Désinfectés</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Fichiers effacés</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">43</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Info sur les moteurs</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Définition virus</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">858491</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Version des moteurs</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyse des plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">14</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Archive des plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">38</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Unpack des plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">7</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">E-mail plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">6</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Système plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">1</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Paramètres d'analyse</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Première action</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Désinfecté</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Seconde Action</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Heuristique</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Acceptez les avertissements</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Extensions analysées</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">*;</font></p>
</td>
</tr>

<tr>
<td width="57%">
<p><font face="Arial" size="2">Excludez les extensions</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2"> </font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyse d'emails</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyse des Archives</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyser paquets programmes</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyse des fichiers</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Analyse de boot</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Oui</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p> </p>
</td>
<td width="10%">
<p> </p>
</td>
</tr>

<tr>
<td colspan=2>  
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="252" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Fichier analysé</b></font></p>
</td>
<td width="195" bgcolor="#CCCCCC" align="right">
<p align="left"><b><font size="2" face="Arial"> Statut</font></b></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip=>avenger/awvvs.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip=>avenger/awvvs.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip=>avenger/awvvs.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Mis à jour</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip=>avenger/fccbxvs.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Vundo.DNZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip=>avenger/fccbxvs.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\avenger\backup.zip</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Mis à jour</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Alwil Software\Avast4\DATA\moved\khecay.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.BHO.AW</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Alwil Software\Avast4\DATA\moved\khecay.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Alwil Software\Avast4\DATA\moved\khecay.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\msa.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\msa.dll=>:KAVICHS</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\ogg.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\ogg.dll=>:KAVICHS</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\wav.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\AudioPlugins\wav.dll=>:KAVICHS</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Fichiers communs\Ahead\DSFilter\</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Nettoyé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Navilog1\Backupnavi\kpwtkylc.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Navilog1\Backupnavi\kpwtkylc.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\Program Files\Navilog1\Backupnavi\kpwtkylc.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddaba.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddaba.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddaba.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddccd.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddccd.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\ddccd.dll.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Peed.NI</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: MemScan:Trojan.Peed.HRQ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\sony.exe.vir</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\catchme2007-10-28_ 00939.25.zip=>ddccd.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\catchme2007-10-28_ 00939.25.zip=>ddccd.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\catchme2007-10-28_ 00939.25.zip=>ddccd.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\qoobox\Quarantine\catchme2007-10-28_ 00939.25.zip</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Mis à jour</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\SDFix\backups\backups.zip=>backups/ndis.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Hacktool.Rootkit.AA</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\SDFix\backups\backups.zip=>backups/ndis.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\SDFix\backups\backups.zip=>backups/ndis.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\SDFix\backups\backups.zip</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Mis à jour</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000018.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Peed.NI</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000018.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000018.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000021.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000021.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000021.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000025.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: MemScan:Trojan.Peed.HRQ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000025.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP3\A0000025.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002161.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002161.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002161.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002221.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Hacktool.Rootkit.AA</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002221.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP4\A0002221.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002346.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Détecté avec: Adware.Virtumonde.GGZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002346.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002346.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002349.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Vundo.DNZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002349.dll</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002421.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002421.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{A9AC963C-5991-438D-A08C-5A4C0CB08370}\RP5\A0002421.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\cydhtxdn.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\cydhtxdn.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\cydhtxdn.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\dxopkvsv.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\dxopkvsv.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\dxopkvsv.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\eiptndit.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\eiptndit.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\eiptndit.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\fccbxvs.dll.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Vundo.DNZ</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\fccbxvs.dll.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\fcxucumd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\fcxucumd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\fcxucumd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\ggooaequ.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\ggooaequ.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\ggooaequ.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\isxytqpw.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\isxytqpw.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\isxytqpw.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\kxurhxxs.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\kxurhxxs.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\kxurhxxs.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\mliqnkwi.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Clicker.Agent.NP</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\mliqnkwi.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\mliqnkwi.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\oyduiuec.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\oyduiuec.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\oyduiuec.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\qmtvlggd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\qmtvlggd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Echec de la désinfection</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\qmtvlggd.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Supprimé</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\VundoFix Backups\qrnsqaci.exe.bad</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infecté par: Trojan.Fotomoto.A</font></p>